Hackers meet professor's challenge to pen test his online world

Taylor Armerding |
Dec. 5, 2013

An NYU professor challenged a team of hackers to break into his online world. They did, but it was not easy or cheap

Everybody knows, or ought to know, about the risks of being hacked. But it's easy to slip into a level of denial about an amorphous threat and get careless if you don't think anybody is out specifically to get you.

But what if a group of somebodies is out to get you, and you know they are and exactly who they are, because you arranged for them to try? That is what New York University Professor and PandoDaily editor Adam Penenberg did with Trustwave's advanced research and ethical hacking team, SpiderLabs. He challenged them to conduct a personal "pen test" on him.

And the answer, at least in his case, is that knowing that they were out to get him didn't stop them. He got hacked. As he wrote, in an account of the project last month, while conducting a class at NYU, "without warning, my computer freezes.

"I fruitlessly tap on the keyboard as my laptop takes on a life of its own and reboots. Seconds later the screen flashes a message. To receive the four-digit code I need to unlock it I'll have to dial a number with a 312 area code. Then my iPhone, set on vibrate and sitting idly on the table, beeps madly."

That was just the visible and audible, damage, however. By the time Penenberg's computer froze, the Trustwave team, led by Nicholas Percoco — at the time SpiderLabs' senior vice president (he has since left to become a director in the information practice at KPMG) — had gained access to his family's W2s (with Social Security numbers), copies of credit card and bank statements, his checking and savings accounts, a corporate bond account, credit card statements, online bills, his Amazon, Facebook and Twitter accounts and his iCloud password, through which they put both his iPhone and laptop into stolen mode.

The team did a couple of relatively harmless things to demonstrate its success, like ordering 100 plastic spiders from Amazon and having them shipped to his home, and posting some fake tweets.

But the bottom line was, once they were inside his laptop, there were, "few firewalls protecting my data, and (they were) mostly in the form of a pastiche of passwords and log-in credentials. These, I quickly learned, were not secure."

Therefore, "I don't delude myself into thinking I'm protected from prying eyes — the government's or anyone else's, if they belong to someone with the right combination of skills, resources and determination," he wrote.

There would appear to be some moderately reassuring news in this story, however, at least for those who aren't prominent or wealthy enough to become a specific target for the black hats. While the SpiderLabs team was able to hack Penenberg, it took weeks, was difficult, complicated and very expensive. Without the specific agreement, he likely wouldn't have been worth the trouble.